Honeypots

[Geek]

I've got a handful of leftover IP4's in my current Q.A. box. Not wanting them to go to waste, I kicked around the idea of spooling up a couple of containers and turning them into honeypots, and yesterday evening I configured Kippo. I liked the idea, you know, making them look like mail servers or something, use an old domain and make it look like a blown out open relay with a funky RDNS like "oldmx1" or "samba" and put a Lorum Ipsum template up in front of it. Seems sort of devious. Have already logged a few instances where someone tried to pull their bots down and run them. Happened faster than I'd imagined. 

Anyway, earlier this morning a thought came to mind -- is there going to be a greater risk to the network for running these suckers? I mean it's not in production, and so far the attempts have been minimal at the very least, I just don't want to give the facility any trouble - plus there was no clause in the ToS about it - but I've never really maintained one before. Are there any other tools out there like Kippo that I could mess around with?

Have a good weekend.

 

[wlanboy]

The traffic is always hitting your ips - you just left open one door.

You should not have a lot of these doors on the same subnet because some people might think that this subnet might be a easy target and they start to look into that subnet with more care.

But all the actions you can track on your honeypot are scripted actions.

There is no person there typing in the commands (most of the time), so there is no person that can get pissed and would try to send a DDOS afterwards.

 

[MeanServers]

There are definitely risks to running Honnypots and as wlanboy pointed out, it can damage the reputation of your IP subnet. I wouldn't run any Honnypots if you are running a production network, or maybe run them somewhere else. Just took risky for your own business.